DETAILED ACTION

1. In response to the previous office action, Applicant has amended claims 24, 27,
28, 30, 34, 35, and 43. Claims 24, 26-31, 33-44, and 46-54 have been examined. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 24, 26, 28-30, 33-38, 40, 43, 46-50, and 52 are rejected under 35 
U.S.C. 103(a) as obvious over U.S. Patent No. 6,141,760 to Abadi et al. in view of U.S.
Patent No. 6,826,686 to Peyravian et al. further in view of Schneier, "Applied 
Cryptography," 1996, pp. 165-166 and 429-431. 

Regarding claims 24, 26, 30, 33, 34, 36, 37, 40, 43, 46-49, 50, and 52, Abadi 
discloses a method for constructing a password specific to a service (an application) by 
hashing the name of the service (input data) from the user (see column 3, lines 4-5), a 
master password (the strong password) and the user name (see abstract). The 
password is then submitted to the application (see column 3, lines 60-62). The system 
is designed to construct passwords for all services which a user uses, including client
software applications (see column 2, lines 41-56). 

Abadi does not explicitly describe the use of a random salt in password creation. 

Peyravian discloses the integration of a client-specific and a server-specific 
random number hashed with a user_id and master user password (see column 4, lines
32-57), and suggests that this allows for password agreement without the need for a 
key pair or agreed-upon key while preventing replay attacks (see column 2, line 66 to 
column 3, line 10). 

Therefore it would be obvious to one of ordinary skill in the art at the time the 
invention was made to modify the invention of Abadi by integrating a client-specific and 
a server-specific random number hashed with a user_id and master user password, as
disclosed by Peyravian, as this allows for password agreement without the need for a 
key pair or agreed-upon key while preventing replay attacks. 

Abadi also does not disclose passwords that are only valid for a specified time
period.

Peyravian further discloses the use of time-out mechanisms to maintain the 
secrecy of passwords (see column 4, lines 21-24). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to further modify the invention of Abadi by incorporating a time- 
out mechanism, as disclosed by Peyravian, to maintain the secrecy of passwords. 

Using Abadi in view of Peyravian, a user would only need to remember the 
master password. 

Abadi and Peyravian only disclose the computing of the hash a single time.

Schneier discloses an algorithm for iteratively hashing a value any number of 
times (see "Length of One-Way Hash Functions," pp.430-431), and notes that additional 
hashing increases resistance to birthday attacks (see pp. 429-430; a description of 
birthday attacks is found on pp. 165-166).

Therefore it would have been obvious to one of ordinary skill in the art at the time the
invention was made to modify the invention of Abadi and Peyravian by hashing a value 
multiple times, as disclosed by Schneier, to increase resistance to birthday attacks. 

As per claims 28 and 35, a single master password is used to create multiple 
application passwords. 

Regarding claim 29, with the incorporation of a server-specific random number, the
salt value is unique to each application.

Regarding claims 34, 47, and 48, Abadi does not disclose a mechanism for 
changing passwords if it is determined that a change is necessary. 

Peyravian discloses a mechanism for changing passwords if the master 
password is changed (due to a time-out, for example), because the password may have 
been discovered by someone else (see whole document, especially column 4, lines 21- 
31). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to modify the invention of Abadi by supplying a mechanism to 
change passwords if the master password needs changing, as disclosed by Peyravian,
because the password may have been discovered by someone else. 

As per claim 38, a networked system is used (see Abadi, column 2, lines 21-23).

3. Claim 27 is rejected under 35 U.S.C. 103(a) as being unpatentable over U.S. 
Patent No. 6,141,760 to Abadi et al. in view of U.S. Patent No. 6,826,686 to Peyravian 
et al. in view of Schneier, "Applied Cryptography," 1996, pp. 165-166 and 429-431 as 
applied to claim 24 above, and further in view of U.S. Patent No. 5,719,941 to Swift et 
al. 

Abadi, Peyravian, and Schneier do not disclose the use of the old password in 
the method. 

Swift discloses the use of the generated old password in the forming of the 
encryption/decryption key (see abstract), and further suggests that this ensures that the 
source of the new password is authorized to change the password (see column 3, lines 
26-31). 

Therefore it would be obvious to one of ordinary skill in the art at the time the 
invention was made to modify the invention of Abadi, Peyravian, and Schneier by using 
the old password in the password updating algorithm, as disclosed by Swift, as this 
ensures that the source of the new password is authorized to change the password. 

4. Claims 31 and 44 are rejected under 35 U.S.C. 103(a) as obvious over U.S. 
Patent No. 6,141,760 to Abadi et al. in view of U.S. Patent No. 6,826,686 to Peyravian
et al. in view of Schneier, "Applied Cryptography," 1996, pp. 165-166 and 429-431 as 
applied to claims 30 and 43 above and further in view of U.S. Patent No. 6,006,333 to
Nielsen. 

Over and above what is described in Abadi, Peyravian, and Schneier above,
Abadi discloses the generation of user names for storage in a set of user names (203), 
which is then retrieved to generate the password (see column 3, lines 22-45). 

Abadi, Peyravian, and Schneier do not specifically disclose a test to see if the 
user name already exists. 

Nielsen discloses a system for maintaining passwords for different applications
wherein there is a check to see if a password exists, and an entry may be created if 
none exists. This is done to allow the user to register at the new site (see column 5, 
lines 40-61). 

Therefore it would be obvious to one of ordinary skill in the art to modify the 
invention of Abadi, Peyravian, and Schneier by checking to see if a password exists, 
and creating an entry if none exists, as disclosed by Nielsen, in order to allow the user
to register at the new site. 

5. Claims 39 and 51 are rejected under 35 U.S.C. 103(a) as obvious over U.S. 
Patent No. 6,141,760 to Abadi et al. in view of U.S. Patent No. 6,826,686 to Peyravian 
et al. in view of Schneier, "Applied Cryptography," 1996, pp. 165-166 and 429-431 as 
applied to claims 30 and 43 above and further in view of U.S. Patent No. 6,064,736 to 
Davis et al. 

Abadi, Peyravian, and Schneier do not disclose the algorithm to be used in the
construction of the hash. 

Davis discloses the use of the MD5 algorithm for constructing a password hash, 
and suggests that this allows a server to transport information safely to a client (see 
column 3, lines 56-65). 

Therefore it would be obvious to one of ordinary skill in the art to modify the 
invention of Abadi, Peyravian, and Schneier by using the MD5 algorithm for constructing 
the password hash, as disclosed by Davis, as this allows a server to transport 
information safely to a client. 

6. Claims 41, 42, 53, and 54 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over U.S. Patent No. 6,141,760 to Abadi et al. in view of U.S. Patent No. 
6,826,686 to Peyravian et al. in view of Schneier, "Applied Cryptography," 1996, pp. 
165-166 and 429-431 as applied to claims 30 and 43 above, and further in view of U.S. 
Patent No. 6,601,175 to Arnold et al.

Abadi in view of Peyravian does not provide for a password that is only valid for a 
limited time period based on platform activity. 

Arnold discloses the derivation of limited-time passwords for local computer use 
or remote administration, which can be created on an as-needed basis (based on 
platform activity), and further suggests that this is done to prevent a user from re- 
configuring a computer after learning the administrative password (see column 5, lines 
10-44). 

Therefore it would be obvious to one of ordinary skill in the art at the time the
invention was made to modify the invention disclosed by Abadi, Peyravian, and 
Schneier by supporting limited-time passwords, as disclosed by Arnold, to prevent a 
user from re-configuring a computer after learning the administrative password. 

Response to Arguments 

7. Applicant's arguments, see Remarks, filed 19 December 2005, with respect to 
the rejections of the claims under 35 U.S.C. 103 have been fully considered and are 
persuasive in view of Applicant's amendments. Therefore, the rejection has been 
withdrawn. However, upon further consideration, new grounds of rejection are made in 
view of the previously cited art in view of Schneier. 

Conclusion 

8. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Matthew E. Heneghan, whose telephone number is 
(571) 272-3834. The examiner can normally be reached on Monday-Friday from 8:30
AM - 4:30 PM Eastern Time. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu, can be reached at (571) 272-3859.

Any response to this action should be mailed to: 

Commissioner of Patents and Trademarks 
P.O. Box 1450 
Alexandria, VA 22313-1450

Or faxed to:

(571) 273-3800

Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whose telephone number is (571) 272-
2100. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



MEH
February 22, 2006 







